Xl2tp + strongswan ipsec — xl2tp timeout


I'm trying to connect to an ipsec/l2tp vpn from a private network behind a nat-router. It works from different windows clients, but from my linux machine (openSuSE 12.3, strongswan 5.1.3, xl2tp 1.3.0) I don't manage to connect. The first problem was that the server seems to handle just the IKE v1 protocol. "keyexchange=ikev1" in ipsec.conf solved this issue. Now "ipsec statusall" shows:

Status of IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-53-desktop, x86_64):
  uptime: 6 minutes, since Dec 20 01:08:01 2016
  malloc: sbrk 2838528, mmap 0, used 652816, free 2185712
  worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
  client_ip
Connections:
    L2TP-PSK:  %any...server_ip  IKEv1
    L2TP-PSK:   local:  [client_ip] uses pre-shared key authentication
    L2TP-PSK:   remote: [server_ip] uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp] === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
    L2TP-PSK[1]: ESTABLISHED 6 minutes ago, client_ip[client_ip]...server_ip[server_ip]
    L2TP-PSK[1]: IKEv1 SPIs: a505b49c4edac068_i* 829bf572900386be_r, pre-shared key reauthentication in 7 hours
    L2TP-PSK[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

So everything seems fine on the side of ipsec.
When starting the l2tp protocol with

echo "c connection_name" > /var/run/xl2tpd/l2tp-control

I just see some timeouts in the system log:

    xl2tpd[16779]: get_call: allocating new tunnel for host server_ip, port 1701.
    xl2tpd[16779]: Connecting to host server_ip, port 1701
    xl2tpd[16779]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
    xl2tpd[16779]: control_finish: sending SCCRQ
    xl2tpd[16779]: network_thread: select timeout
    ... (5x)
    Maximum retries exceeded for tunnel 55245.  Closing.
    network_thread: select timeout
    ... (5x)
    Unable to deliver closing message for tunnel 55245. Destroying anyway.

Watching the traffic with

tcpdump host server_ip and port l2tp

shows only the following:

12:58:39.221494 IP client_ip.l2f > server_ip.l2f:  l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(AS) *BEARER_CAP() *FIRM_VER(1680) *HOST_NAME(my_site) *VENDOR_NAME(xelerance.com) *ASSND_TUN_ID(49091) *RECV_WIN_SIZE(4)

repeated 5 times and later 3 times:

12:58:44.226892 IP client_ip.l2f > server_ip.l2f:  l2tp:[TLS](0/0)Ns=1,Nr=0 *MSGTYPE(StopCCN) *ASSND_TUN_ID(49091) *RESULT_CODE(1/0 Timeout)

Obviously there is no answer from the server to the l2tp packets. But as said before, it works with several windows clients.
What could be wrong?

What can I do to get more information about the l2tp connection?

I switched on all debugging options in the xl2tp.conf already.
Here are my conf-files:

ipsec.conf

conn L2TP-PSK
        keyexchange=ikev1
        authby=secret
        auto=start
        keying=1
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=transport
        left=%any
        leftprotoport=udp/%any
        right=server_ip
        rightprotoport=udp/l2tp

xl2tp.conf

[global]
access control = yes
auth file = /etc/xl2tpd/l2tp-secrets
debug avp = yes
debug network = yes
debug state = yes
debug tunnel = yes

[lac connection_name]
lns = server_ip
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.connection_name
length bit = yes
require authentication = yes
require chap = yes
refuse pap = yes
name = my_loginname
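To answer the "how do I get more information" part from the capture itself: the following is an added example, not code from the question or from xl2tpd, that builds the SCCRQ seen in the tcpdump line from its AVP values, parses L2TPv2 control messages (RFC 2661 header and AVP layout), and classifies a capture in which the client keeps retransmitting SCCRQ while nothing comes back from the LNS. Function names, the constructed packets and the `diagnose` verdict strings are assumptions made for this example.

```python
import struct

# L2TPv2 control-message types and AVP attribute types from RFC 2661
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}
MESSAGE_TYPE, PROTO_VER, FRAMING_CAP, BEARER_CAP = 0, 2, 3, 4
HOST_NAME, VENDOR_NAME, ASSND_TUN_ID, RECV_WIN_SIZE = 7, 8, 9, 10

def build_avp(attr_type, value, mandatory=True):
    # AVP header: M bit, H bit, 4 reserved bits, 10-bit total length; vendor id 0 = IETF
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, 0, attr_type) + value
def build_control(tunnel_id, ns, nr, avps):
    # Control header: T=1, L=1, S=1, Ver=2 -> 0xC802; session id is 0 for tunnel messages
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, 0, ns, nr) + body
def parse_control(pkt):
    flags, length, tid, _sid, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 control message")
    avps, off = {}, 12
    while off < length:
        aflags, _vendor, atype = struct.unpack("!HHH", pkt[off:off + 6])
        alen = aflags & 0x03FF
        if alen < 6 or off + alen > length:   # reject truncated or looping AVPs
            raise ValueError("malformed AVP")
        avps[atype] = pkt[off + 6:off + alen]
        off += alen
    code = struct.unpack("!H", avps[MESSAGE_TYPE])[0]
    return {"tunnel": tid, "ns": ns, "nr": nr, "msgtype": MSG_TYPES.get(code, code), "avps": avps}
def sample_sccrq():
    # Constructed SCCRQ carrying the AVP values shown in the question's tcpdump line
    return build_control(0, 0, 0, [
        build_avp(MESSAGE_TYPE, struct.pack("!H", 1)),
        build_avp(PROTO_VER, b"\x01\x00"),
        build_avp(FRAMING_CAP, struct.pack("!I", 3)),          # async + sync
        build_avp(HOST_NAME, b"my_site"),
        build_avp(VENDOR_NAME, b"xelerance.com", mandatory=False),
        build_avp(ASSND_TUN_ID, struct.pack("!H", 49091)),
        build_avp(RECV_WIN_SIZE, struct.pack("!H", 4)),
    ])
def diagnose(capture):
    # capture: (direction, packet) pairs, 'out' = client -> LNS, 'in' = LNS -> client
    out = [parse_control(p) for d, p in capture if d == "out"]
    inb = [parse_control(p) for d, p in capture if d == "in"]
    if any(m["msgtype"] == "SCCRP" for m in inb):
        return "SCCRP received: tunnel setup is progressing"
    sccrq = sum(1 for m in out if m["msgtype"] == "SCCRQ")
    if sccrq > 1 and not inb:
        return "SCCRQ retransmitted %d times with no reply: UDP/1701 is not reaching the LNS or its answer is not coming back" % sccrq
    return "inconclusive"
```

Feeding it the five outbound SCCRQs from the capture above and nothing inbound yields the "retransmitted with no reply" verdict, which points at the IPsec transport SA, NAT traversal or the server-side L2TP daemon rather than at the client's xl2tpd settings.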

Best Answer

I was able to get this working in my case (Ubuntu) by using the NetworkManager L2TP plugin and forcing only the specific encryption algorithm supported by the server.

To discover the algorithms supported by your server you can use ike-scan which may be in the package repository or you can find an equivalent script here.

sudo apt-get install ike-scan
sudo ike-scan <address.of.server>

Then once you know the supported protocols you can put them into the config files or use the GUI by installing the below.

sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp  
sudo apt-get update  
# leave off gnome if using Unity/KDE
sudo apt-get install network-manager-l2tp-gnome 

http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/

http://disq.us/p/1jcput9
